OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [glossary] 'no subject'

  • 1.  Re: [glossary] 'no subject'

    Posted 10-07-2001 10:28
    Hi Bill
    
    > i was reading through the saml glossary that jeff hodges posted some
    > time back and noticed that the description for the term AUTHORIZATION in
    > part states:
    >
    > "...The (act of) granting of access rights to a subject (for example, a
    > user, or program)."
    
    just my 2 cents. the definition in the saml glossary seems restrictive.
    i think we do want to include authorizations that refer to the requestor's
    properties (like being a member_of_acm, or an airline_frequent_flyer).
    in a global distributed scenario, unknown users can present requests and
    the access decision may indeed depend on properties they can present by
    means of certificates rather than on their identity (there are also
    situations in which you want to be able to process requests while
    maintaining anonymity of requestors).
    Authorizations can more generally grant access rights to a set of subjects
    holding some properties.
    
    in this respect i agree with the fact that it is too restrictive to
    require user identity.
    
    best
    -p
    
    
    >
    > this implies that a subject must exist for a policy to be executed
    > since:
    >
    > 1. an authorization is directly derived from a policy
    > 2. the only input for this derivation is the policy (the subject cannot
    > come from another source)
    > 3. the definition above states that an authorization acts upon a subject